[Libwebsockets] unknown headers considered dangerous

Andy Green andy at warmcat.com
Wed Oct 14 08:33:40 CEST 2015



On 16 May 2015 05:30:20 GMT+09:00, Danomi Czaski <djczaski at gmail.com> wrote:
>My libwebsocket client isn't able to connect to a websocket server
>based upon Microsoft IIS. The first problem I hit is a parser error
>because the server returns additional response headers ("X-*") that
>aren't known to libwebsocket.
>
>    Cache-Control:private
>    Connection:Upgrade
>    Date:Fri, 15 May 2015 15:11:29 GMT
>    Sec-WebSocket-Accept:CVB5IoipLn3LKyulNQ1H2Ox4sC4=
>    Server:Microsoft-IIS/8.0
>    Upgrade:Websocket
>    X-AspNet-Version:4.0.30319
>    X-Powered-By:ASP.NET
>    X-SourceFiles:=?UTF-8?B?QzpccHJvamVjdHNcQXBwc1xXZWJTb2NrZXRTZXJ2ZXJUZXN0XFdlYlNvY2tldFNlcnZlclxhcGlcZGV2aWNlXA==?=
>
>Is there a reason for considering unknown headers so dangerous rather
>than just ignoring them? The patch is simple enough, but I'd hate to
>have to patch libwebsocket for this. Is this something that could be
>added?

Sorry for the late reply.

Currently, it only checks for an unknown method in server mode:

		/*
		 * Server needs to look out for unknown methods...
		 */
		if (wsi->u.hdr.lextable_pos < 0 &&
		    wsi->mode == LWS_CONNMODE_HTTP_SERVING) {

So I think this should have been solved.

-Andy

>    $ git diff lib/parsers.c
>    diff --git a/lib/parsers.c b/lib/parsers.c
>    index 954eeaa..54a90aa 100644
>    --- a/lib/parsers.c
>    +++ b/lib/parsers.c
>    @@ -424,7 +424,7 @@ swallow:
>
>                            if (m == ARRAY_SIZE(methods)) {
>                              lwsl_info("Unknown method - dropping\n");
>    -                               return -1;
>    +                               wsi->u.hdr.parser_state =
>WSI_TOKEN_SKIPPING;
>                            }
>                            break;
>                    }
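Review bot: the replacement of `return -1` in the `m == ARRAY_SIZE(methods)` branch is unconditional, so a connection in server mode would also skip an unknown method instead of dropping it. Consider keeping `return -1` when the wsi is serving HTTP and switching to `WSI_TOKEN_SKIPPING` only otherwise. The `lwsl_info("Unknown method - dropping\n")` text also no longer describes what happens on the skipping path, and the added line has been wrapped by the mailer, so the hunk will not apply as posted.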
>_______________________________________________
>Libwebsockets mailing list
>Libwebsockets at ml.libwebsockets.org
>http://ml.libwebsockets.org/mailman/listinfo/libwebsockets
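The two policies discussed in this thread, as an added illustration (not libwebsockets code and not code from either poster): a client-side header check that either rejects or skips names it does not know. `check_headers`, `required`, `strict` and `sample` are hypothetical names, and the check only tests that the required headers are present, not that the `Sec-WebSocket-Accept` value is correct.

```c
#include <ctype.h>
#include <string.h>

/* Constructed sample: header lines taken from the IIS response quoted above. */
static const char sample[] =
    "Connection:Upgrade\r\n"
    "Sec-WebSocket-Accept:CVB5IoipLn3LKyulNQ1H2Ox4sC4=\r\n"
    "Upgrade:Websocket\r\n"
    "X-AspNet-Version:4.0.30319\r\n"
    "X-Powered-By:ASP.NET\r\n\r\n";

/* Headers the client insists on (assumed set, lower case for comparison). */
static const char *const required[3] = { "upgrade", "connection", "sec-websocket-accept" };

/* Case-insensitive match of the n-byte header name at s against name. */
static int name_eq(const char *s, size_t n, const char *name)
{
    if (strlen(name) != n)
        return 0;
    while (n--)
        if (tolower((unsigned char)s[n]) != name[n])
            return 0;
    return 1;
}

/* strict != 0: an unknown header fails the handshake. strict == 0: it is
 * counted in *skipped and ignored. Malformed or incomplete input fails. */
int check_headers(const char *h, int strict, unsigned *skipped)
{
    unsigned seen = 0;
    for (*skipped = 0; *h && strncmp(h, "\r\n", 2); ) {
        const char *eol = strstr(h, "\r\n");
        const char *colon = eol ? memchr(h, ':', (size_t)(eol - h)) : NULL;
        size_t i = 0;
        if (!colon || colon == h)
            return -1;                  /* no name or no colon on this line */
        while (i < 3 && !name_eq(h, (size_t)(colon - h), required[i]))
            i++;
        if (i == 3 && strict)
            return -1;                  /* old behaviour: unknown is fatal */
        if (i < 3)
            seen |= 1u << i;
        else
            (*skipped)++;               /* tolerant behaviour: skip the line */
        h = eol + 2;
    }
    return seen == 7 ? 0 : -1;          /* all three required headers seen? */
}

int main(void) { unsigned n; return check_headers(sample, 0, &n); }
```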



